1. INTRODUCTION AND BACKGROUND

1.1 INTRODUCTION


This report attempts to provide a basis for quantifying current and projected costs of USAF (military) computer security practices and the impact of various technological developments that will become available in the next five years.

Earlier estimates of USAF computer security costs (AND 72) were made by allocating a percentage of the total USAF ADP expenditures including personnel, equipment, site preparation, communications, etc. The value of that estimate has been questioned because it is based only in part on hard data.

After reviewing the availability of data that could be used in determining costs of computer security, it was concluded that it would be impossible to obtain comprehensive cost data for every item that might contribute to computer security costs. (As examples: the annual costs of guard forces required to physically protect a computer site, the on-going costs of administering clearances and lists of authorized users, etc.)

A major element of computer security costs can be directly related to the number of computer systems and central processing units (CPUs) in use, and this data is available. As a result, it was decided to base the study on this available data, fully recognizing that some cost factors would not be included. In spite of this, it is believed that the study is useful in providing a realistic lower bound on computer security costs.

The analysis will attempt to put into perspective the various factors entering into the costs associated with any particular alternative. Essentially, it takes into account the uneven development of ADP practices in the Air Force and recognizes that, due to the relatively simple level of some processing being performed in some installations, their current and near-term security needs are met by quite simple security methods. While simple methods may in many instances be acceptable today, it is not clear that they will remain so in the future. The trend to more on-line integrated networks of computers noted in (SAD 74) is real, and obsoletes the traditional (simple) protection mechanisms from the beginning. While there has been increased interest in determining costs of following (or not following) various security development policies, to date there has been no methodology applicable to military systems.

A recent PhD thesis by Goldstein (GOL 75) has developed a cost model for implementing privacy controls. The methodology used in that analysis develops costs of personnel (in categories of programmer, executive, clerical, auditing), cost of capital and costs of hardware (storage and processing elements).

Goldstein was attempting to assess the impact in the civilian sector of various requirements of the (then proposed) privacy legislation on on-going data processing operations that did not have to meet any of the requirements previously. Secondly, the requirements studied by Goldstein included a variety of items important to 'privacy', but not security, such as notification to data subjects of the existence of records on them; handling inquiries (existence, accuracy) regarding records; employee training; consent to transfer data and the like. Only the costs of physical security could be considered relevant to the intent of this study. Goldstein's study is not especially useful even in regard to physical security because it assumes that there was no physical security before and provides no standards on which to relate the estimated one-time costs for securing a site. His on-going costs for physical security are primarily those associated with a guard force.

1.2 SECURITY THREAT

This study is based on two premises: that there exists a class of data that requires protection, and that there exists a threat of clandestine(1) operations against the Air Force for the purpose of acquiring such data in connection with espionage required to support war plans, or for the purpose of corrupting the data to cause a 'pin-down'(2) of some part of the USAF operational resources.

The data requiring protection is that data classified in accordance with DoD 5200.1 and AFR 205-1 (commonly called classified data).

In general, the analysis is based on an understanding of the technical vulnerabilities of modern computing systems and the limitations on operating flexibility that the vulnerabilities impose, rather than the measured extent to which an actual enemy threat exists. Thus, the analysis is based on the manner in which computer systems are used to overcome or minimize the effect of technical vulnerabilities rather than on current intelligence estimates, which are ephemeral.




(1) Activities sponsored or conducted by a nation against another nation using secret or illicit means (AFR 205-1).

(2) Activities which will result in a system's incapability to function for a period sufficiently long to insure its destruction.
2. ORIGINS OF THE SECURITY 'PROBLEM'


2.1 SOURCE OF SECURITY REQUIREMENTS

The security 'problem' for USAF (and DoD) computer systems derives from operational requirements which determine the uses of computers. The main operational components contributing to the security 'problem' are the requirement to share hardware and the requirement to share data. These two operational requirements, and the fact that currently available computer systems do not have effective internal controls sufficient to protect classified data from unauthorized access by users of the systems, are the setting for the 'security problem.'

Under these circumstances, only if all data is at a single classification level and/or all users of the system have clearances greater than or equal to the highest classification of the data are there no computer security problems, only physical and administrative security problems that are generally well understood and (more or less) easily solved.

Currently the state-of-the-art supports two approaches to handling computer security problems. First, it provides techniques for avoiding the computer security problem. These techniques, developed over the past 25 years, include dedicated computer systems; operating computers at a 'system high' level, with all users having a clearance at the level of the highest classified data processed by the system; and the like. Secondly, ad hoc security 'features' or 'enhancements' are available on most manufacturers' equipment. The enhancements and features most frequently provide control of access to the systems, or to system applications. The features and enhancements may nominally permit some sharing, but their effectiveness is not assured. The limited technical approaches to solving the computer security problems (such as virtual machine systems) provide only limited sharing, may require expensive restructuring of programs and carry significant operating overhead penalties.
An important impact of not having internal computer security controls is economic. All of the methods for avoidance of security problems carry heavy cost penalties both for procurement and for subsequent operations and maintenance of the systems. Alternate forms of delivery of a needed operational capability that control or bypass the security problems also carry heavy cost penalties.

Lack of adequate internal security controls in computers has a negative impact on how systems are used. Typical qualitative effects are inefficiencies due to maintaining redundant files because of classification of some data, or the need to schedule (and reschedule) use of a system in order to use a system at a single classification level (at a time). In addition, lack of adequate internal security controls increases the costs of programming because of the need to compensate for the lack of internal controls. It is noted that some of the procurements planned for the next five years are presumed to have the internal controls necessary and sufficient to solve the security problem. It can be stated categorically that it is not evident that any of the manufacturers are independently pursuing programs to provide the internal controls of the form needed for the solution of the DoD security problems.

2.2 SHARED HARDWARE CONSIDERATIONS

The shared hardware requirement is not a requirement of the function(s) to be performed by a system; rather it is an economic constraint on how data processing is delivered to a set of users. Basically, shared hardware arises from the need or desire to get the maximum utilization of a complex set of hardware through time-division-multiplexing of CPUs and I/O channels and devices using the technique of multi-programming. In some of the more advanced uses of shared hardware, the basic workload is event-driven and cannot be scheduled. (An example is the Military Airlift Command MAIRS air movement reports system.) As events occur to which users of the system must respond, the programs and data bases used in effecting the response must be immediately available for use. This generally means on-line, awaiting activation.
In the case of shared hardware, there is no logical relationship between the programs and data involved in one job, and the programs and data for another. The co-residence of the jobs is coincidental and not an integral requirement for operating. Except for whatever priorities arise due to requirements for effecting control of military forces, the data processing requirements of the users of shared hardware can be met with varying degrees of simplicity.

The risks of sharing hardware alone are the same risks associated with the sharing of data: that the internal controls provided by the operating system are not sufficient to assure isolation of one user from another. The consequence of not being able to demonstrate such adequate controls is that the sharing of hardware is constrained. Whether or not this is more than an inconvenience depends on the nature of the installation.

In general, the constraint means the hardware is serially reusable by different clearance levels after an appropriate process of "sanitization" takes place. Other methods available for sharing hardware are discussed below.


2.3 COSTS ASSOCIATED WITH SECURITY PROBLEMS OF SHARED HARDWARE


The case of shared hardware presents an interesting conundrum. The impetus for sharing hardware is clearly economic. The cost of a single system capable of processing the workload of N separate systems is much less than N times the cost of one of the smaller capacity systems. This accepted 'truth' has been formalized into 'Grosch's law', which states that the ratio of the (computing) power (i.e. their 'capacity' in some sense) of two computers is approximately equal to the ratio of their sell price squared.


Thus,

$$ \frac{P_A}{P_B} = \left(\frac{C_A}{C_B}\right)^{2} $$

where P is a measure of power and C is cost.

If one always compares machines to some standard base machine B (undefined), then

$$ P_A = K\,C_A^{2}, \qquad \text{where } K = \frac{P_B}{C_B^{2}} \text{ is a proportionality constant.} $$
In an empirical study that covers computers available through 1968, Dr. Kenneth E. Knight (KNI 66, KNI 68) found that the conventional expression of Grosch's law is very conservative and that one could use:

$$ P = K\,C^{2.5} \quad \text{for scientific systems, and} $$

$$ P = K\,C^{3.1} \quad \text{for commercial systems.} $$

What this demonstrates is that there is a sound economic basis for the notion of acquiring high capacity systems and sharing the hardware among several users.

For many users, if not most, the economic benefits are sufficient reason for sharing hardware. Such sharing is economic as long as there are no artificial conditions imposed.

If the hardware must be shared among groups of users of different clearance levels, then the costs of operating shared hardware are increased by the time needed to 'sanitize' a system, preparing it for use by lower cleared users. There is also a 'lost opportunity' cost that cannot be easily measured that is associated with not being able to use a computer outside of scheduled times. These increased costs erode the cost-benefit ratio that was sought by hardware sharing in the first place. Depending on the options available, and to some extent the environment in which sharing is to take place, the security related costs of operating shared hardware can increase until it is no longer justified to share the hardware, and separate machines are obtained to satisfy the security requirements.

2.4 SHARED DATA CONSIDERATIONS

Of rapidly increasing significance in terms of the number of installations/sites involved is the operational requirement to share data. Unlike shared hardware, whose operational origins arise in the need to perform data processing on demand, and whose justification is given in terms of economics, the requirement for shared data comes about due to the increasing interdependence of military functions, the integration of appropriate military components into more mission oriented commands (e.g. Unified and Specified commands), and the need to rapidly restructure military organization to meet specific and often immediate problems in the conduct of military operations. In this kind of environment, the "local" data maintained by individual subordinate commanders on material and personnel readiness, logistics, etc., is of vital importance to both superior commands, and in some instances to equal level lateral commands. Regardless of the reasons, the requirements for sharing data have increased significantly over the past 10 years, especially in the Command and Control area (e.g. World Wide Military Command and Control System, WWMCCS).

Although initial data sharing is taking place between groups of homogeneously cleared users, there are already instances where the data sharing requirement involves classified and unclassified data as well as cleared and uncleared users. (As an example, see the MAIRS system of the Military Airlift Command (MAC).)

Simple isolation techniques are a conceptual approach only suitable for solving the problem of shared hardware. The data and program sharing requirement involves a more complex and intimate access capability than that required for hardware sharing.

The primary aspect of shared data is that there is a logical relationship between the programs and data involved in one job, and the programs and data involved in another.

In order to provide for sharing of data (and in general, programs) between dissimilarly cleared users, it is necessary to show that the logical internal controls built into a system are sufficient to contain the lesser cleared user regardless of what 'malicious' actions he may attempt to take against the system using his (authorized) user capabilities.

Note that this requirement is more severe than that for simple hardware sharing because of the numerous internal interfaces that must exist to permit communication between programs about the data (and other programs) being shared. Thus, it is necessary to maintain a general capability for isolation between programs, yet permit (controlled) openings in the isolation to communicate between programs about shared resources and to provide non-scheduled sharing of the resource directly.
Because data sharing is an emerging problem, the costs associated with its solution (or lack of it) are mostly future costs. It is noted that in the anticipated Support of Air Force ADP Requirements through the 1980's (SADPR 85) procurement, the technical solution to the security problem of sharing data among dissimilarly cleared individuals is a requirement.

Technical approaches to providing security for sharing classified data involve providing a logical mechanism to recognize (in a computer) the classification of data (programs, files, etc.), and compare the classification to the clearance of the user (program) attempting the access (for each access) in order to determine whether the attempted access is authorized. This logical mechanism is known as a reference monitor. In addition, secure sharing of classified data requires the ability to isolate the reference monitor function from all users, and each user from all others. While the ability to provide isolation is an integral part of data sharing, it is of itself insufficient to provide the capability needed.

The "spontaneous" development of protection mechanisms on the part of manufacturers has thus far resulted in mechanisms that, even if implemented correctly, will provide limited (non-formal) need-to-know controls and some effective system access controls, e.g. log-on passwords. These controls are not sufficient in themselves in building a logical internal security system such as is needed to process classified information.

2.5 IMPACT ON FUTURE SYSTEMS

The cost impact on future systems of not pursuing the development of certifiable internal controls can rapidly disappear in a fog of generalities about reduced 'capability' (how measured?), lowered 'operational effectiveness', and the like. While it is evident that such impacts will undoubtedly be felt, it is less evident how they can be measured.
For the near future (5-10 years), it is impossible to assess the economic (but not operational) impact by evaluating the incremental costs due to avoidance of security problems and costs associated with various technical approaches now being pursued.

2.6 TECHNICAL APPROACHES TO COMPUTER SECURITY

As noted above, there are basically two approaches to computer security: problem avoidance and problem solution. Among the former techniques are included dedicated systems, "system high" operation, periods processing (scheduled operations) and the like. Among the latter are virtual machine monitor (VMM) designs, attempted retrofit of existing systems, high "integrity" systems, and certified systems.

2.7 PROBLEM AVOIDANCE TECHNIQUES

There are basically three security problem avoidance techniques in use today. These are discussed below, along with their limitations.

2.7.1 Dedicated Systems

This technique of avoidance of computer security problems merely collects all classified processing of a single level in (on) one machine, and all other processing in one or more other systems. The most common application of this avoidance technique is in connection with (compartmented) intelligence support systems co-located with the command and control centers they are supporting. It may well be that the command and control application and the intelligence support system require the computing capability of separate machines; however, such requirements are currently never decided on their functional merits, but are driven by the security requirements.
The disadvantage of the dedicated system technique is that it is a mechanism for sharing of hardware. It does nothing for sharing data (except among like-cleared users).

2.7.2 System High Operation

This technique avoids computer security problems by defining them out of existence. The computer system is operated as though all programs and data were of the same highest clearance. All users of the system are cleared to this level and given an implicit need-to-know, and voila! No computer security problems. Since in most instances where this technique is used processing at the highest classification is rare, the bulk of the work load is of lower classification, down to and including Unclassified. Security proprieties are met by placing banner sheets on output warning that the data was processed on a system operating at the "X" level, and that the printout should be reviewed by the user and a determination made of the actual classification. This avoidance technique is quite effective as long as the people who have to be cleared to 'system high' are not too numerous (the probability of at least one 'malicious' user increases as the number of users increases) and the cost of such clearances can be submerged in the general site administrative costs.

2.7.3 Scheduled Operations (Periods Processing)

This technique avoids computer security problems by scheduling use of a system among users on the basis of the clearance of the users and the classification of the jobs. In effect, it allocates a consecutive portion of the available time to unclassified processing followed by a portion for secret processing, etc. Each allocated portion (period) is dedicated to processing at a single classification/clearance level only. On changing from one level to another, the computer system must be essentially restarted, with a fresh copy of the operating system, and only data and program files of the new classification level. (This change of level is referred to as a 'color change'.)
As a technique, scheduled processing is relatively easy to implement. Its major drawback is the time it takes to dismount the media containing the 'environment' at one classification level, and mount media containing the new level. Further, as a technique it only permits serially reusable hardware sharing.

A variation of this technique, called Job Stream Separator (JSS) (SCH 75), is designed to automate the changeover process (from one classification level to another). JSS also can provide a means of accumulating jobs from remote terminals, running them together in classification batches. JSS is usually thought of in terms of a mini computer acting as a controller, with access to the real memory of the controlled system. Its major advantage is that it can (most reliably) control the transfer of 'environments' between JSS-local storage and the controlled system. Its major disadvantage is the cost of hardware, and the time it takes to copy the entire environment from one medium to another.

2.8 PROBLEM SOLUTIONS

There are basically only two viable approaches to solutions of the computer security problem(s). These are to provide logical controls for hardware sharing, and logical controls for data sharing. The former includes VMM and mini-computer networks. The latter includes the security kernel work, capability systems and 'features.'

2.8.1 Virtual Machine Monitors

The virtual machine monitor (VMM) is an attractive approach to the sharing of hardware. A number of papers have been written describing its objective(s) and mechanisms, and several systems have been built and operated (POP 74). The basic technique is to design and implement a simple operating system that uses the technique of multiprogramming to make available to each user an interface to the computer that is functionally equivalent to a complete "raw" or "bare" machine in which there are no restrictions on the type or category of instructions that can be executed. In effect, each user has his own independent machine with no restrictions on how he can use it.
The operating system that creates this environment is known as the virtual machine monitor (VMM) and consists primarily of programs that provide interpretive execution of privileged instructions that are trapped to it, and programs that control the time-multiplexing of the real machine to give the effect of many virtual machines. In addition, a major portion of the VMM is devoted to interpreting I/O (for integrity and correct operation in/on a VM) and simulating to the user machine controls such as interrupts, error indications and the like.

The security of the VMM rests in the fact that each user has a functionally complete machine of his own in which it doesn't matter whether the instructions being executed are privileged or not. In such a case, the lack of internal controls is of considerably less security importance since, in the extreme, each user can be supplied with his own copy of the operating system. The VMM approach attempts to isolate users, one from another, and provides a flexible framework for secure hardware sharing. The major disadvantage to a VMM is that secure data sharing (of any kind) must be done externally. Such sharing is at least inefficient and may be ineffective. Since VMMs are just a form of operating system, they have security problems similar to those for ordinary operating systems in that it may be possible to penetrate the VMM to destroy the effectiveness of the isolation (ATT 1976).

2.8.2 Certifiably Secure Systems

Certifiably Secure Systems have as their objective demonstrably secure data sharing. These developments include, as an integral part of secure data sharing, the ability to share hardware securely as well. As a consequence, it is a general solution to the security problems that arise from sharing of any computer resource.

The approach to obtaining certifiably secure systems requires a formal definition of what secure data sharing means, including definitions of what data or programs are being protected, what the protection encompasses, and how the computer will be able to recognize data requiring protection.

The general schema for producing a formal security system is described in (BUR 74). Briefly, it involves the concept that in a computer there exists a single centralized mechanism that validates the access rights of a process on each and every attempt to reference any object (data, program, device, etc.); that the mechanism is protected from alteration or tampering by the rest of the system's users; and that it is small enough to be formally proven correct (AND 72). This mechanism is referred to as a reference monitor.

The certifiable system appears to offer the best general solution to the sharing problem for any future procurements. It can be used to control sharing of programs and data or as a virtual system effecting hardware sharing.

2.8.3 Capability Systems

Another approach to obtaining secure data sharing is pursued under the name 'capability system.' Essentially, the capability systems permit the owner of an object (program, data set, etc.) to pass a key (the 'capability') to another user if the owner wants the second party to use (or share) the object. The internal mechanisms that support such a design approach are similar to those needed for certifiably secure systems. Nevertheless, the capability systems appear to be suitable for easily implementing a discretionary (i.e. one where each user decides for himself with whom he shares objects under his control) security policy only. Such discretionary sharing is not adequate for DoD needs because it relies on each user doing the right thing about granting access to classified information in his possession. In effect, each user would have to be trusted to follow the rules of handling classified data correctly.

The actual U.S. government classification system is more authoritarian (and less trusting) than that. More recently, it has been shown that it is possible conceptually to build a certifiable system using capabilities. Such a system severely restricts what capabilities were intended for, and makes it necessary to prove the correct design and implementation of the entire operating system. Because they are at an early stage of development, capability systems are not considered further.

2.8.4 Security 'Features'

The main difference between the formally specified systems and systems with 'security features' lies in the completeness and effectiveness of the controls provided.

The formally specified system is based on a precise (mathematical) definition of 'security' drawn from a model of the DoD security systems. The formal system relates the design elements used to specific parts of the formal definition (e.g. security rules that must be followed in manipulating various program and data objects in an application). The 'features' approach, on the other hand, represents the best intuitive approach on the part of designers to overcome known weaknesses in existing systems. Because 'features' are informal (ad hoc), there is no way to assure their relevance to security in a system, or their 'completeness' (in a mathematical sense).

In systems with security 'features', it appears that the features are there to
be used if a user decides to protect some data (discretionary security policy). The
kind of sharing envisioned by the designers of the 'features' is pre-planned and
generally limited by the ability of a user to remember passwords (a favorite device
to authorize sharing). The 'features' approach has no easy way of recognizing a
global authorization (e.g. Secret clearance) and applying it to all objects under its
control. Whether or not this is a fatal liability in any specific instance depends
almost entirely on the environment in which the systems are to be used and the type
of processing to be done. In general, the more sharing of programs and data is an
objective of the system, the weaker the 'features' control of authorization and access
becomes.
3. METHODOLOGY FOR EVALUATING SECURITY COSTS


3. 1 INTRODUCTION 

In general, the method followed for evaluating security costs is to identify, for
each of the alternative security techniques, the important elements of cost associated
with using the technique. The costs are given in terms of the base cost of a computer
or system to which the technique is applied. In applying this method it is necessary to
determine the number and costs of each computer or system which is the subject of one
of the avoidance or solution techniques discussed. This section is merely concerned
with development of the methodology. An analysis for USAF systems is presented in
Section 4. The following sections individually address each of the six major classes of
alternative security techniques: dedicated processing, system high operations, periods
processing, job stream separators, virtual machines, and certifiable systems.

3.2  DEDICATED  PROCESSING 

Dedicated processing involves using a separate computer system for classified
processing regardless of the actual work requirement of the installation. In order to
understand what is involved, a formal definition of dedicated processing will be given.

First, a total installation workload W is defined consisting of two parts:
classified work w_c and unclassified work w_u. It is assumed that there exists a
processing capability (capacity) P involving shared hardware such that

    W < P

(That is, the total installation workload could be supported on an
integrated shared hardware base except for security considerations.)
There are four cases of interest, shown below as cases a) through d) (figure not
reproduced). In the first three cases, the capacity provided is greater than the actual
processing capacity needed; only in the last case are the two processors fully utilized.

A dedicated processing system is said to exist if there exist individual
(separate) systems with processing capabilities p_c and p_u such that

    [relations between p_c, w_c and p_u, w_u; not legible in the source]

and

    [ ] < P

The problem with this formal definition is the difficulty in measuring W and
P for most installations (i.e. covering such cases as w_u = p_u, w_c < p_c where
p_u + p_c < P). Excess processing capacity includes processing elements and peripheral
devices (required because components exist only in integral units) as well as excess
primary and secondary storage required because of duplicate copies of programs and
data at each level.
What we are interested in, ultimately, is the cost of the fraction of extra
(unneeded) processing capacity involved in segregating classified from unclassified
processing. Letting

    p_u + p_c = P_a    (actual capacity)

and

    P_t = P            (theoretical capacity),

then

    F = (P_a - P_t) / P_a = 1 - P_t / P_a

is the fraction of capacity not actually needed. In some systems, where P_a is nearly
equal to P_t, the fraction will be small; in others, where P_a is much larger than P_t,
the fraction will be much larger. In general, it would be expected that the distribution
of this fraction is over the range 0 to 50% (i.e., it is expected that virtually no
installations will have in excess of 50% over-capacity due to security avoidance and
most will be less). There is no data available to support this estimate. It is only
proposed as a 'reasonable' estimate and remains to be validated.

For the purpose of this study, we will use a figure of 25% as the average
fraction of over-capacity due to the security avoidance technique of dedicated
processing where it is the primary security avoidance method. (This implies that the
real value is between 0 and 50%, and the average of 25% will be satisfactory for this
estimate.)

The cost of the over-capacity is directly proportional to the total cost of the
system. Since we are interested in the macro economic effects of various security
avoidance methods, any errors in the basis for this estimate are expected to cancel
over any reasonable number of systems.

In general, it is expected that a system of capacity P can be obtained from
any manufacturer, especially since nearly all manufacturers provide the capability to
configure multi-processor systems, and most support multi-processing with their
software.


3.3 SYSTEM HIGH OPERATION(S)

Costs associated with System High operations are attributable to the direct
costs associated with obtaining clearances to the level necessary.

    Let N      = number of users of a system
    Let M      = number initially cleared to highest level
    then (N-M) = number requiring clearances
    Let C      = cost of obtaining one clearance ($300 - $1,000 or higher)
    Let Q      = retirement (replacement) rate of users

Then initial cost is (N-M) x C dollars and annual replacement cost is QN x C
per installation.

The latter figure assumes (lacking any detailed information) that replacements
will already have clearances in proportion to those that existed among the personnel
in the initial application of the technique.

A significant cost which is not quantified nor included in this study is the cost
to manually review and downgrade information that is in fact at a level less than
system high.

3.4 SCHEDULED OPERATIONS (PERIODS PROCESSING)

The primary cost of scheduled operations is the time (capacity) lost due to
changing classification levels. The cost of change over can be developed as follows:

    Let U = total time utilized for work; no change of level
    Let t = time to effect 1 change of level
    Let N = number of changes per day (generally 2; one up, one back)
    Let C = cost of equipment

then

    available time = U - Nt

The percent reduction in effective utilization = 1 - (U - Nt)/U, and the cost of
reduced utilization is C(1 - (U - Nt)/U).

This can also be likened to a hidden increase in dollar cost of a system, and is so
treated.

3.5 JOB STREAM SEPARATOR (JSS)

The costs of this technique are akin to the periods processing costs. However,
there are additional development and equipment costs associated with this approach.

    Let D = development cost of JSS
    Let E = per-system special equipment costs
    Let I = number of systems where JSS would be applied
    D/I   = apportioned development cost
    Let U = total time utilized for work; no change of levels
    Let t = time to effect 1 level change with JSS
    Let N = number of changes/period U
    Let C = cost of main equipment.

then % reduction in effective utilization of a system = 1 - (U - Nt)/U

Cost of JSS approach:

    I x E + D/I + C(1 - (U - Nt)/U)

3.6 VM APPROACH

The cost of a secure VM system is the development cost of the initial secure
VMM for a given system (e.g. a VMM for IBM 370/158; or VMM for HIS 6000 systems)
amortized over the number of systems to which it is applied, and the cost of hardware
modifications to condition a system for VMM operation. The cost of hardware
modifications is not known precisely. Estimates based on several current systems
range from 5 to 10% of the base cost of a system. This cost is for hardware retrofit.
Whether there will be any significant cost change as the hardware features needed to
support VMM development are designed into new systems remains to be seen.

An expression of VMM cost is given below:

    Let D  = development cost for a VMM
    Let I  = number of systems which can support VMM operation
    D/I    = apportioned development cost
    Let E  = per system hardware modification cost (fix-kit)
    Let C  = cost of equipment
    Let OH = % of a system capacity devoted to overhead in controlling VM's

then the per-system cost of the VM approach

    = E + D/I + OH x (C + E)


3.7 CERTIFIABLE SYSTEMS

The costs of certifiable systems are the development costs, and the overhead of
operating the secure system. While it is expected that there would be some modification
of system architecture (in some equipments) to achieve a suitable base for
certifiable systems, it is difficult at best to identify the cost of this change because
the architecture changes are not exclusively for security reasons but are generally
designed to yield direct benefits of other kinds. Under any circumstance it is
expected that hardware costs for certifiable systems will be considerably less than
15% of the cost of a system which is not conditioned for certifiable systems.

    Let D  = development costs
    Let I  = number of systems over which development is applied
    Let C  = cost of a system without certifiable system conditioning
    Let OH = % of capacity of a system devoted to security overhead

Then the per-system cost of a certified system will be

    D/I + .15C + OH(1.15C)
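As an added example (not code from the report), the cost expressions of Sections 3.3, 3.6 and 3.7 written as Python functions using the report's symbol names. The `system_high_annual` function is the agency-wide form of QN x C that Section 4.3.3 later uses (turnover rate x proportion uncleared x users per installation x installations x cost per clearance x share of systems using system high). The sample values in the `__main__` block are constructed, except the Section 4.3.3 inputs, which are the report's own.

```python
"""Cost expressions of Sections 3.3, 3.6 and 3.7 as functions (added example).

Symbols follow the report: N users, M initially cleared, C cost (of one
clearance, or of a base system), Q replacement rate, D development cost,
I number of systems the development is spread over, E per-system hardware
modification cost, OH overhead fraction of system capacity.
"""


def system_high_costs(N: int, M: int, C: float, Q: float) -> tuple[float, float]:
    """Section 3.3: initial cost (N - M) * C and annual replacement cost Q * N * C."""
    if not 0 <= M <= N:
        raise ValueError("M (initially cleared) must lie between 0 and N")
    if not 0.0 <= Q <= 1.0:
        raise ValueError("Q is a rate and must lie in [0, 1]")
    return (N - M) * C, Q * N * C


def system_high_annual(turnover: float, uncleared: float, users: int,
                       installations: int, cost: float, share: float) -> float:
    """Section 4.3.3 expansion of Q * N * C across an agency."""
    return turnover * uncleared * users * installations * cost * share


def vm_cost_per_system(D: float, I: int, E: float, C: float, OH: float) -> float:
    """Section 3.6: E + D/I + OH * (C + E)."""
    if I <= 0:
        raise ValueError("development cost must be spread over at least one system")
    return E + D / I + OH * (C + E)


def certifiable_cost_per_system(D: float, I: int, C: float, OH: float) -> float:
    """Section 3.7: D/I + 0.15*C + OH*(1.15*C).

    0.15 is the report's upper bound on hardware conditioning cost; the
    security overhead applies to the conditioned (1.15 C) system.
    """
    if I <= 0:
        raise ValueError("development cost must be spread over at least one system")
    return D / I + 0.15 * C + OH * (1.15 * C)


def cost_sweep(D: float, C: float, OH: float, E: float,
               counts: list[int]) -> list[tuple[int, float, float]]:
    """Per-system VM and certifiable cost for several values of I: the D/I
    term dominates at small I, the overhead term at large I."""
    return [(I, vm_cost_per_system(D, I, E, C, OH),
             certifiable_cost_per_system(D, I, C, OH)) for I in counts]


if __name__ == "__main__":
    # Constructed sample values (not from the report).
    initial, annual = system_high_costs(N=40, M=30, C=1_000.0, Q=0.15)
    print(f"system high: initial ${initial:,.0f}, annual ${annual:,.0f}")
    # Section 4.3.3 inputs as given in the report.
    print(f"agency-wide system high: "
          f"${system_high_annual(0.15, 0.125, 300, 263, 1_000.0, 0.1):,.0f}")
    for I, vm, cert in cost_sweep(D=1_000_000.0, C=100_000.0, OH=0.10,
                                  E=5_000.0, counts=[10, 100, 1000]):
        print(f"I={I:5d}  VM ${vm:,.0f}  certifiable ${cert:,.0f}")
```

The sweep makes the report's amortization argument concrete: spread over 10 systems the development cost is the largest term of either solution, while at 1000 systems the per-system cost is almost entirely hardware conditioning plus overhead.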
4. APPLICATION OF METHODOLOGY TO USAF COMPUTER SYSTEMS


4. 1 INTRODUCTION 

In  an  attempt  to  obtain  a better  estimate  of  costs  of  computer  security,  the 
methodology  of  Section  3 was  applied  to  USAF  computer  holdings. 

The USAF was chosen as the subject of the methodology because the USAF
is a major user of computers. Its use includes supporting command and control,
and communications (CCIP 85), and general management functions (CCI 72); the
USAF has taken a lead in development of certifiable secure systems, and the results of
this analysis are relevant to that program; and to provide baseline costs in an area
of surprising complexity.

The  only  readily  available  cost  data  on  computers  is  that  in  "Inventory  of 
Automatic  Data  Processing  Equipment  in  the  United  States  Government  for  Fiscal 
Year  1974"  (INV  74).  This  particular  work  is  published  annually  by  GSA  as  a result 
of  a requirement  of  PL89-306  (Brooks  Bill).  For  a discussion  of  it  as  a data  source, 
see  (FIS  74). 

The Inventory contains data on two kinds of systems: General Management
Classification (GMC) and Special Management Classification (SMC). The former
are pretty much what one would expect from the name. The latter include control
systems, mobile systems (mounted in ships, aircraft or vans) and classified systems
whose physical location is classified. The SMC presents such a mixed bag, it was
decided to be conservative and consider only the GMC systems. In addition, GMC
systems are more of the kind to be shared, or on which data sharing would more
likely take place. One generally expects to find control systems in a single
classification environment or performing a function that does not produce classified data
(although the function itself may require protection).


While  some  fraction  of  the  SMC  systems  could  have  been  included  in  the  analysis, 
there  is  no  consistent  basis  for  selecting  either  the  systems  or  the  fraction.  As 
a result,  the  analysis  is  applied  to  fewer  systems  than  are  believed  to  be  affected 
by  security  considerations. 
Having decided to concentrate on GMC systems, these were examined, and
found to include both owned and leased systems, as well as a variety of small systems
such as PDP 11's and Burroughs 263's.

4. 2 STANDARDIZING  THE  DATA 

In 1974 the USAF had 1577 CPU's (1247 owned (73%) and 330 leased (26%)) in
1349 systems. [1] Of the 1349 systems, 923 systems were GMC (68%) and 426 were
SMC (32%) (Figure 4-1).

The data from the inventory is not particularly well suited for a study of this
kind, since it tends to obscure relations rather than clarify them. Thus, we find
data on CPU's leased and owned with no corresponding data on systems. In another
area we find aggregate data on the value of GMC systems by purchase price category
without regard for whether the systems are leased or owned.

Recognizing the deficiencies of using the data in the Inventory, special runs
were requested from GSA to obtain data believed needed for this study. While the
runs produced more useful breakdowns they did not adequately distinguish between
leased and owned systems or provide data on the average annual cost of systems or
CPU's taking into account the different payout rates one might assume depending on
whether the system is leased or owned.

To overcome these difficulties and to produce the data needed for later parts
of the study, the data available was used to provide estimates of a system's and
CPU's costs on a yearly basis. It is further noted that the conclusions and results
of this study are not highly sensitive to the precise values used in these estimates.

Since the inventory data is for both GMC and SMC systems, and our interest
is primarily in GMC systems, it has been assumed that the distribution of the number
of systems in each category (SMC, GMC) is in proportion to the totals 923/1349
(68%) GMC systems and 426/1349 (31%) SMC systems. [2] In the case of CPU's, we
assumed the distribution is proportional to the totals 1022/1577 (64%) GMC CPU's
and 555/1577 (35%) SMC CPU's.

[1] All data from (INV 74) unless otherwise noted.
[2] See Table 1 (INV 74), Summary.

Figure 4-1. Distribution of USAF Computer Holdings, 1974 (figure not reproduced)

We have data giving the total number of both GMC and SMC systems in each of
several purchase price categories. Since SMC systems are not considered in this
analysis, it is necessary to separate as much as possible the SMC data from the
totals. If we assume that the proportion of GMC and SMC systems is the same for
each price category, then multiplying each entry by the rate for GMC systems will
give the desired numbers.


    Purchase Price     Total Number of       Number of GMC
    Category ($)       GMC + SMC Systems     Systems (x 68.4%)
    0 - 50K                   218                  149
    50 - 200K                 329                  225
    200K - 500K               408                  279
    500K - 1.5M               213                  146
    over 1.5M                 181                  124
    Total                    1349                  923

Table 4-1. Derivation of Number of GMC Systems by Purchase Price Category

The purchase price category of systems corresponds to those shown in Chart
8 of the Inventory. We are interested in the average purchase price per category,
which we will take simply as the total dollar value shown divided by the total number
of systems in the category. Small systems (less than $50,000 purchase price) were
not considered, since these are expected to be used primarily in single classification
level environments; as a result some systems affected by security considerations will
not be included in this analysis.

The average purchase price of each category (based on Government-wide totals,
omitting the small system category) is shown below. Its derivation is shown in Figure 4-2.
Figure 4-2. Average Purchase Price of GMC Systems (figure not reproduced; it
derives the Average Purchase Price Per Category for Categories B, C, D and E from
the Government-Wide Total Purchase Price Per Category and the Number of
Government-Wide GMC Systems in Category)


    Category                    Government-Wide       Purchase Price      Average
                                Number of GMC         Totals for          Purchase
                                Systems in Category   Category            Price
    B  $50,000 to $200,000            747           $   90,000,000     $  120,480
    C  $200,000 to $500,000           757           $  250,000,000     $  330,250
    D  $500,000 to $1,500,000         615           $  540,000,000     $  878,000
    E  over 1.5 million               492           $1,800,000,000     $3,658,500

Table 4-2. Average Purchase Price of GMC Systems
Based on Government-Wide Data (Table 8 (INV 74))


At the risk of appearing to be more accurate than the data allows, the average
annual cost is normalized to a pseudo-rental cost using the relationships

    'purchase price' / [divisor not legible in the source] = annual rental for leased systems

    'purchase price' / [divisor not legible in the source] = annual 'rental' for owned systems

The latter relationship recognizes the useful life of a system is on the order
of 6-8 years. Since there is no data on the number of leased and owned systems, we
will assume them to be in proportion to the number of leased and owned CPU's (given
in the summary of Systems and CPU's by Agency and Department (INV 74) p. 196):
725/1022 (70.9%) of the GMC CPU's are owned. Applying this rate to the base of 923
GMC systems gives 655 systems owned, and 268 systems leased.

If the number of leased and owned systems in each price category is assumed
to be proportional to the number of leased and owned CPU's in each category, the
distribution for leased and owned GMC systems shown in the following table can be
developed. The various data elements are summarized in Table 4-3; the derivation
of the elements is indicated in Figure 4-4.
Figure 4-3. Derivation of Yearly Costs (figure not reproduced; it maps Average
Purchase Price Per Category to Yearly Cost For Leased Systems and Yearly Cost For
Owned Systems)

Figure 4-4. Derivation of Data Components of Cost Study (figure not reproduced;
it includes the Pseudo Rental for Owned Systems)
Table 4-3. Owned and Leased GMC Systems With Average Annual Costs

    Purchase   Total     GMC Sys.   GMC Sys.    Average Yearly Cost
    Price      GMC       Owned      Leased      Owned        Leased
    Category   Systems   (70.9%)    (29.1%)
    B           225       159         66        $ 17,200     $ 30,120
    C           279       198         81        $ 47,200     $ 82,500
    D           146       104         42        $125,400     $219,500
    E           124        88         36        $522,600     $914,600
    Total       774       549        225
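The standardization steps of Section 4.2, chained together as an added Python example (not code from the report): apply the 68.4% GMC share to each price category's total, split the result into owned and leased at 70.9%, take the government-wide average purchase price, convert it to a yearly pseudo-rental and then to the hourly 'ownership' rate used later in Table 4-6. The shares and the 8760-hour divisor are the report's; the payout divisors of 4 years (leased) and 7 years (owned) are an assumption of this example, inferred because they reproduce the Table 4-3 yearly costs from the Table 4-2 prices and fit the 6-8 year useful life the report cites. The input rows are the report's own figures from Tables 4-1 and 4-2.

```python
"""Section 4.2 standardization steps chained together (added example)."""

GMC_SHARE = 0.684          # 923/1349 USAF systems are GMC (Table 4-1)
OWNED_SHARE = 0.709        # 725/1022 GMC CPUs are owned (Section 4.2)
LEASED_PAYOUT_YEARS = 4    # assumption: reproduces Table 4-3 from Table 4-2 prices
OWNED_PAYOUT_YEARS = 7     # assumption: ditto, within the cited 6-8 year useful life
HOURS_PER_YEAR = 8760      # divisor used for the hourly rate in Table 4-6


def gmc_systems(total_gmc_smc: int) -> int:
    """Table 4-1: GMC systems in a category, assuming the GMC/SMC mix is
    the same in every purchase price category."""
    if total_gmc_smc < 0:
        raise ValueError("system count cannot be negative")
    return round(total_gmc_smc * GMC_SHARE)


def split_owned_leased(n_systems: int) -> tuple[int, int]:
    """Table 4-3: owned count to the nearest whole number, leased is the rest."""
    owned = round(n_systems * OWNED_SHARE)
    return owned, n_systems - owned


def average_purchase_price(total_dollars: float, n_systems: int) -> float:
    """Table 4-2: category purchase total divided by the number of systems."""
    if n_systems <= 0:
        raise ValueError("a category with no systems has no average price")
    return total_dollars / n_systems


def yearly_cost(purchase_price: float, owned: bool) -> float:
    """Pseudo-rental: purchase price spread over the assumed payout period."""
    years = OWNED_PAYOUT_YEARS if owned else LEASED_PAYOUT_YEARS
    return purchase_price / years


def hourly_cost(yearly: float) -> float:
    """Table 4-6: yearly cost / 8760 = hourly 'ownership' rate."""
    return yearly / HOURS_PER_YEAR


def standardize(category: str, usaf_total: int, gov_n: int, gov_dollars: float) -> dict:
    """Run one purchase price category through every step of Section 4.2."""
    n_gmc = gmc_systems(usaf_total)
    owned, leased = split_owned_leased(n_gmc)
    price = average_purchase_price(gov_dollars, gov_n)
    yearly_owned, yearly_leased = yearly_cost(price, True), yearly_cost(price, False)
    return {
        "category": category,
        "gmc_systems": n_gmc, "owned": owned, "leased": leased,
        "avg_purchase_price": price,
        "yearly_owned": yearly_owned, "yearly_leased": yearly_leased,
        "hourly_owned": hourly_cost(yearly_owned),
        "hourly_leased": hourly_cost(yearly_leased),
    }


# Input rows from the report's Tables 4-1 and 4-2:
# (category, USAF GMC+SMC systems, government-wide GMC systems, government-wide $ total)
INVENTORY = [
    ("B", 329, 747, 90_000_000),
    ("C", 408, 757, 250_000_000),
    ("D", 213, 615, 540_000_000),
    ("E", 181, 492, 1_800_000_000),
]


def standardized_table() -> list[dict]:
    """All four categories, in the order of the report's tables."""
    return [standardize(*row) for row in INVENTORY]


if __name__ == "__main__":
    for r in standardized_table():
        print(f"{r['category']}  GMC {r['gmc_systems']:3d} "
              f"(owned {r['owned']:3d}, leased {r['leased']:3d})"
              f"  avg ${r['avg_purchase_price']:>12,.0f}"
              f"  hourly owned ${r['hourly_owned']:7.2f}  leased ${r['hourly_leased']:7.2f}")
```

Running it reproduces the report's category counts exactly and its hourly rates to within a cent or two; the small residual differences come from the rounding of intermediate figures in Tables 4-2 and 4-3.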

4.3 COST OF 'AVOIDING' SECURITY PROBLEMS

Since there is not currently a 'solution' to the multi-level security problem, the
Air Force (and other organizations) use one or more of the avoidance techniques
discussed earlier. For this study, the percentage and number of installations using
a specific technique predominantly was estimated. These estimates are shown in
Figure 4-5.

There is no special justification for the figures used, except that they are
in rough balance with what has been observed by the author. Since the author's
(or anyone else's) experience is limited, any other 'mix' may be substituted.

The security problem avoidance techniques have been discussed previously
except for the category 'no problem' which is meant to cover systems and places
where no classified processing is done at all.
Figure 4-5. Estimated Distribution of Security Avoidance Techniques (chart not
reproduced; only the 'Dedicated Processing (3%)' label survives)

Figure 4-5 is the figure to change in applying the cost evaluation methodology
if any other 'mix' of avoidance technique is preferred.

4.3.1 Dedicated Processors

As discussed in Section 3.2, the data of interest is the cost of the estimated
25% over-capacity due to use of dedicated processing to avoid security problems.
We can obtain this directly, using the data in Table 4-4.

Taking 3% of the total to represent the portion of systems using the dedicated
processors technique and 25% of that total to represent the costs due to security gives an
annual cost of a little under one million dollars.

4. 3. 2 Periods  Processing 

The  periods  processing  (SCH  75)  cost  is  almost  entirely  due  to  the  lost  capacity 
at  changeover.  The  cost  is  treated  here  as  an  increase  in  the  utilization  cost  of  the 
system.  The  amount  of  time  it  takes  to  effect  a change  of  processing  classification 
depends  primarily  on  the  size  of  the  system. 

Data  was  obtained  from  GSA  that  gives  the  number  of  systems  (both  SMC  and 
GMC)  in  each  purchase  price  category  by  the  hours  of  utilization.  To  utilize  this  data, 
it  was  assumed  that  smaller  systems  (Purchase  Price  Categories  B,  C)  can  be  changed 
over  in  10  minutes,  and  larger  systems  (Purchase  Price  Categories  D and  E)  can  be 
changed  in  20  minutes.  Further,  it  is  assumed  that  there  are  two  transitions  per 
day  (one  from  unclassified  to  classified,  one  from  classified  to  unclassified). 

In determining costs for periods processing, it was decided to base the costs
on utilization rather than total available time.

Table 4-4. Costs For Dedicated Processing (table not reproduced)

While it could be argued that if a system is not fully utilized, there is no
'cost' associated with a color change, this would not be the case if the system were
fully utilized.

Whether or not a system is fully utilized is not the issue. The military
departments often purchase excess capacity in systems in order to handle 'surge'
processing requirements or in anticipation of applications growth.


Table 4-5. Hours of Utilization by Purchase Price Category

    Number of Systems (SMC + GMC) Reporting, by Purchase Price Category

    % utilization   Hrs. of SVC*      B      C      D      E
    = 0                             126     81     59     58
    0 - 10               37          20      3      0      0
    10 - 20             111          17      5      4      0
    20 - 30             184          43     21      7      5
    30 - 40             257          11     16      6      3
    40 - 50             330          13     29     19      9
    50 - 60             403           7     39     41      5
    60 - 70             476          12     49     28     16
    70 - 80             549           6     55     11     16
    80 - 90             622          18     42     11     30
    90 - 100            695          56     68     27     39
    TOTALS                          329    408    213    181

* The midpoint of the range is used for hours of service. Using the midpoint
introduces approximately ± 1% error in the number of hours. A maximum
of 730 hours (per month) is reported in the data.
The data on system utilization gave a count of the number of systems (both
SMC and GMC) reporting a utilization of N hours. Thus, for example, in the purchase
price category of greater than 1.5 million, there were two systems reporting hours in
service of 530 (per month), 1 reporting 642 hours, 1 reporting 547 hours, etc.

This data was grouped by purchase price category into the number of systems
reporting 0 - 10% (0 - 73 hrs) utilization; 10 - 20% (74 - 146 hrs) . . . etc. Table 4-6
shows the groupings.

If the effective utilization of a system is reduced because of color change time,
then either the effective planned capacity is reduced or the effect of color changing was
built into the initial system sizing. In either case, there is a cost associated with the
security avoidance technique.

We define a cost of 'ownership' as cost/hrs. owned. The 'costs' are those
from Table 4-3 (owned and leased GMC Systems with Average Annual Costs). Ownership
costs by purchase price categories are shown for leased and owned systems in
Figure 4-7. The differences are in the payout period assumed. See Section 4.2
for a discussion of this point.

Table 4-6. Hourly 'Ownership' Costs by Purchase Price Category
(Yearly Costs/8760 = Hourly Rate)

    Purchase Price     Owned       Leased
    Category           Systems     Systems
    B                  $  1.96     $  3.44
    C                  $  5.38     $  9.42
    D                  $ 14.31     $ 25.05
    E                  $ 59.65     $104.40
The computation of the cost of periods processing requires evaluation of the
following expression.

    Average Hrs.   x   Annual Cost of System   x   Number of Systems   x   Reduction of
    Utilized           (owned, leased)             (owned, leased)         Effective Utilization

Since the data is already grouped by average hours utilized, the number of
systems reported for each average utilization were distributed between owned and
leased systems by taking 70.9% as owned (to the nearest whole number) and the
difference as leased.

The reduction of effective utilization is taken from Table 4-7 where it is
computed independently.

    Percent Utilization     Reduction of effective utilization when
    (Midpoint of Range)     changeover time t equals
                            10 minutes      20 minutes
     5                        .281            .562
    15                        .091            .182
    25                        .054            .109
    35                        .04             .08
    45                        .03             .03
    55                        .024            .049
    65                        .02             .04
    75                        .018            .036
    85                        .016            .032
    95                        .014            .028

Table 4-7. Reduction of Effective Utilization (1 - (U - Nt)/U) as a function of
percent of utilization
Table 4-8 (a). Monthly Costs of Periods Processing, Purchase Price Category B
($50,000 - $200,000) (detail not reproduced; total $4,735/mo.)

Table 4-8 (b). Monthly Costs of Periods Processing, Purchase Price Category C
($200,000 - $500,000) (detail not reproduced; total $252,504/yr.)

Table 4-8 (c). Monthly Costs of Periods Processing, Purchase Price Category D
($500,000 - $1.5 million) (detail not reproduced; total $52,276/mo.)

Table 4-8 (d). Monthly Costs of Periods Processing, Purchase Price Category E
(> 1.5 million) (detail not reproduced; total $174,974/mo.)

The detailed data of Table 4-8(a) through 4-8(d) gives only gross monthly costs
assuming all USAF systems were using only periods processing. Summing the monthly
costs of each purchase price category and multiplying by 12 gives the gross yearly
costs. Taking 75% (the estimate of the number of USAF systems using the technique)
of that gives an annual cost of periods processing of approximately $2,253,000.
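The periods processing computation of Sections 3.4 and 4.3.2 carried through for one purchase price category, as an added Python example (not code from the report). It rebuilds the Table 4-7 reduction factors from 1 - (U - Nt)/U, splits each utilization band into owned and leased systems at 70.9%, and sums hours x hourly rate x systems x reduction over the bands. The Category B band counts and the hourly rates are the report's (Tables 4-5 and 4-6); the 730-hour month is the report's maximum; the 30-day month used to turn two changes per day into changes per month is an assumption of this example, chosen because it reproduces the Table 4-7 values.

```python
"""Periods processing cost for one purchase price category (added example)."""

HOURS_PER_MONTH = 730   # maximum hours per month reported in the inventory data
DAYS_PER_MONTH = 30     # assumption: with 2 changes/day this reproduces Table 4-7
CHANGES_PER_DAY = 2     # one up, one back (Section 3.4)
OWNED_SHARE = 0.709     # share of systems taken as owned (Section 4.3.2)


def utilized_hours(util_pct: float) -> float:
    """U: hours of service at the band's midpoint utilization (Table 4-5 convention)."""
    if not 0 < util_pct <= 100:
        raise ValueError("utilization must be a percentage in (0, 100]")
    return util_pct / 100 * HOURS_PER_MONTH


def reduction_of_effective_utilization(util_pct: float, changeover_min: float) -> float:
    """Table 4-7: 1 - (U - Nt)/U, which is Nt/U, for N changes of t minutes per month.

    If the changeover time would exceed the utilized time the whole utilization
    is lost, so the reduction is capped at 1.0 rather than exceeding it.
    """
    U = utilized_hours(util_pct)
    Nt = CHANGES_PER_DAY * DAYS_PER_MONTH * changeover_min / 60
    return min(1.0, Nt / U)


def split_owned_leased(n_systems: int) -> tuple[int, int]:
    """Owned to the nearest whole number, the difference leased (Section 4.3.2)."""
    owned = round(n_systems * OWNED_SHARE)
    return owned, n_systems - owned


def monthly_cost(bands, hourly_owned: float, hourly_leased: float,
                 changeover_min: float) -> float:
    """Sum over utilization bands of
    hours utilized x (owned x owned rate + leased x leased rate) x reduction."""
    total = 0.0
    for util_pct, n_systems in bands:
        if n_systems == 0:
            continue
        owned, leased = split_owned_leased(n_systems)
        hourly = owned * hourly_owned + leased * hourly_leased
        total += (utilized_hours(util_pct) * hourly
                  * reduction_of_effective_utilization(util_pct, changeover_min))
    return total


# Category B bands from Table 4-5: (midpoint % utilization, systems reporting)
CATEGORY_B = [(5, 20), (15, 17), (25, 43), (35, 11), (45, 13),
              (55, 7), (65, 12), (75, 6), (85, 18), (95, 56)]
HOURLY_B = (1.96, 3.44)   # owned, leased hourly rates from Table 4-6


def category_b_monthly_cost() -> float:
    """Category B with the 10-minute changeover the report assumes for B and C."""
    return monthly_cost(CATEGORY_B, *HOURLY_B, changeover_min=10)


if __name__ == "__main__":
    for pct in (5, 15, 25, 95):
        print(f"{pct:3d}%  t=10: {reduction_of_effective_utilization(pct, 10):.3f}"
              f"  t=20: {reduction_of_effective_utilization(pct, 20):.3f}")
    print(f"Category B: ${category_b_monthly_cost():,.0f}/mo.")
```

Because the reduction factor is Nt/U, each band's term collapses to lost hours x hourly rate, so the monthly figure is simply the changeover hours per month times the summed hourly ownership cost of the systems. The result, about $4,852/mo., is close to the report's $4,735/mo.; the difference comes from the rounded midpoints and reduction factors in Tables 4-5 and 4-7.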

4.3.3 System High

Typical systems, regardless of their physical size, have between 30 and 50
'users'. Users in this case are offices or other organizational entities who use
computers for management, planning, and control. Specifically excluded are professional
programmers, system analysts and similar personnel operating to support users of
the kind noted above.*

Each 'user' as defined above may have from 2 to possibly 10 individuals who
are authorized to submit work to and accept results from a computer system.

While occasionally it will occur that programming and other support staff do
not have appropriate clearances for system high operation, more frequently an entire
office, or a significant number of those authorized to 'use' a system do not have the
needed clearances.

The average cost of obtaining a higher clearance is difficult to establish.
Independent inquiry into this matter elicited a figure of $281 for the cost of a
background investigation alone. A clearance is variously estimated at $350 and up. Some
sources indicate well over $5,000 for any of the special clearances. For this estimate
we will use $1,000 for new clearances SECRET or above.

The number of 'new' clearances required each year at an installation is a
function of the turnover rate and the proportion of uncleared (for the system high
level) personnel to the total new personnel. The cost of 'new' clearances each year is
then given by:

* Excluding programming and other computer support personnel from this
estimate results in lower costs being allocated to this avoidance technique
than would otherwise be expected.
annual cost of 'new' clearances =
    (turnover rate)
    × (proportion of uncleared to total number of new users)
    × (number of users per installation)
    × (number of installations)
    × (cost per clearance)
    × (proportion of total systems using system 'high' as an avoidance technique)

A turnover rate of 15% and a proportion of uncleared to total new users of 1 in 8, or 12.5%,
is used.

In the Inventory, there are 113 CONUS locations named as the sites of various
kinds of systems and 150 located "overseas." While a few of these installations are
undoubtedly unique SMC systems, we have lumped them all together and are dealing
with approximately 263 USAF system installations. (There is even greater error due
to treating such locations as "Washington, DC" or SCOTT AFB as a single installation
when they are known to be the site of multiple installations.)

An average of 300 'users' (as described above) per installation is used.


With these data, the annual cost of system high operations is:

.15 × .125 × 300 × 263 × $1000 × .1 = $148,000


4.3.4 Summary of Current Security Costs*

The annual costs of security problem avoidance are shown in the table below:

Technique               Cost
Dedicated Processing    $900,000
Periods Processing      $2,250,000
System High             $148,000
                        ----------
                        $3,357,000

Table 4-9. Summary of Estimated Current Costs of Avoidance Techniques


* It should be clearly understood that these estimates involve only current, readily
identified continuing costs. If the analysis had attempted to take into account additional
costs due to lack of solutions to the problem (e.g. the requirement to secure all communications
lines connected to a computer system containing classified data regardless of the
classification of work actually handled by the links; the requirement to physically protect
terminals at the level of the classification of data contained in the systems, etc.), the costs
would be many times higher.
4.4 FUTURE SYSTEMS COSTS


Future  systems  security  costs  are  both  the  cost  of  obtaining  secure  systems 
and  the  increased  costs  of  operations  if  such  systems  are  not  available. 

Basically,  the  increased  operations  cost  factors  are  those  previously  discussed 
as  costs  of  security  problem  avoidance  plus  an  undeterminable  cost  of  not  making  effective 
use  of  systems  because  of  security  problems.  It  is  most  unlikely  that  the  objectives  planned 
for  new(er)  systems  of  more  on-line,  interactive  working  and  more  accurate,  timely,  and 
meaningful  reporting  for  management  purposes  and  the  like  will  be  surrendered.  The 
consequence  is  that  more  of  the  avoidance  techniques  that  completely  eliminate  security 
problems (i.e. system high and dedicated processors) will be used. The number and
percentage of installations using these techniques can be expected to increase if proper
internal  controls  are  not  put  into  newer  systems  for  which  hardware  will  be  acquired  in 
the  1975-1980  time  frame. 

What of the future? Using data from the Inventory, the Federal Government
as a whole has increased its use of computers by the following amounts over the 5 and
4 year periods shown.

Type of System    Average Annual Increase % (1970-1974)    Average Annual Increase (1971-74)
SMC               21^%                                     23%
GMC               2.8%                                     0.5%
Combined          10.3%                                    10%

Table 4-10. Government Wide Growth in Use of Computers

The lack of growth in the GMC category is suspicious on the surface; however,
the rapid growth rate for SMC systems suggests that there is an incentive for reporting
new systems in the SMC category. Alternatively one would be led to believe that the
entire government was acquiring only new Special Management Category systems, while
retaining or replacing GMC systems on a one-for-one basis. This is not likely.
A similar phenomenon is evident in data for the USAF which shows the following
pattern.

Type of System    1970    1971    1972    1973    1974
SMC                169     232     315     387     426
GMC                993     975    1000     962     923
TOTAL             1162    1207    1315    1349    1349

Growth Rate of USAF GMC Systems:  -1.8%
Growth Rate of Total USAF Systems:  3.8%

Table 4-11

The  combined  figure  of  3. 8%  is  used  since  it  is  believed  to  accurately  reflect 
the  true  growth  of  computer  use  in  the  Air  Force. 

The 3.8%/year growth in computer holdings is projected forward for 6 and 11
years, giving estimates of the number of systems held by the USAF in 1980 and 1985.

Thus, in 1980 one expects on the order of 1655 USAF systems, and in 1985 approximately
1912 systems.

4.5 SOLUTION METHODS

In analyzing the impact of a particular solution method, we recognize that the
solution methods are not universally applicable and wish to take this into account. As
an example, the Job Stream Separator (JSS) can only be effectively used in those installations
where classified processing can be anticipated and "scheduled" in some sense.

It is not a suitable solution method for those installations having a continuous (albeit
not  totally  system-consuming)  classified  workload  or  where  the  classified  application(s) 
must  be  on-line  to  satisfy  availability  requirements.  Likewise,  secure  VM  systems  are  a 
solution  primarily  to  hardware  sharing  requirements.  While  it  is  technically  possible 
to  consider  a limited  form  of  data  sharing  in  the  VM  context,  such  sharing  would  be 
grossly  inefficient  and  is  better  handled  in  the  certified  systems  approach. 
It should also be evident that given a certified data sharing system, the need
to  consider  VM's  is  eliminated,  since  the  data  sharing  systems  must  include  as  an 
integral  part  of  their  design  the  demonstrated  ability  to  isolate  users  one  from  another  — 
thus,  subsuming  VM  systems. 

While  a variety  of  cost  comparisons  could  be  developed,  we  are  interested  in 
what cost impact could be expected from pursuing each of the "solution" techniques
exclusively,  recognizing  the  application  limitations  associated  with  JSS  and  VM's. 

JSS seen as a solution alternative to periods processing (as a higher speed
method) is straightforward. Less obvious is how to allocate VM's. In examining the
cases, it was decided that VM's could be considered a solution alternative for dedicated
processors because dedicated processors have no special implication of data sharing,
while 'system high' operation has an implication that some data is shared. The association
of VM with dedicated processors was made accordingly.

Finally,  the  costs  associated  with  Certified  Systems  are  computed  assuming  that 
the  Certified  Systems  are  applied  to  a base  that  includes  the  systems  in  both  the 
dedicated  processing  and  systems  high  categories. 

All  of  these  various  approaches  are  compared  with  the  expected  costs  of  using 
the  avoidance  techniques  described  above. 

4.5.1 Costs of Avoidance Techniques 1980, 1985

Simple extrapolation of the current estimated avoidance costs results in the
following:

Cumulative Costs
  1974 - 1980    $19,985,000 - $21,170,000*
  1974 - 1985    $36,630,000 - $44,460,000*

  *Simple and compound growth at 3.8%

Figure 4-6. Change in Estimated Distribution of Security Problem Avoidance Techniques

Average Annual Costs
  1980 (Base 1655 systems)    $3,940,000/yr
  1985 (Base 1912 systems)    $4,550,000/yr

However, such a simple extrapolation would not adequately take into account
known trends that contribute more pressure for at least hardware sharing, as well
as more requirements for data sharing.

The trends that are evident include: increased use of interactive/remote terminals,
greater integration of computers into on-going operational daily routine (the computer itself
less visible to users), and greatly increased use of networking for making computers available
to users.

The result of these trends is to change the distribution of the security problem
avoidance techniques used. Reflecting increased on-line and real-time working, it is
expected that periods processing can be used less frequently as a security problem avoidance
technique, and that there will be an increase in the percentage of installations
using dedicated processors and/or system high operation. Accordingly, the distribution
in Table 4-12 was changed to reflect these trends. This is shown in the table below:


Technique               Est. % of USAF          Change from    Est. % of USAF          Change from
                        Installations using     Figure 4-5     Installations using     Figure 4-5
                        in 1980                                in 1985
Dedicated Processors    13                      +10            23                      +20
Periods Processing      50                      -25            30                      -45
System High             25                      +15            35                      +25
No Problem              12                        0            12                        0

Table 4-12. Estimated Distribution of Security Problem Avoidance Techniques for 1980, 1985

Using the modified distribution of security problem avoidance techniques shown in
Table 4-12 and the projected number of systems of 1655 (1980) and 1912 (1985), the costs for
dedicated processors are shown in the following two tables.
Table 4-13(a). Average Annual Cost of Dedicated Processing, 1980

Purchase Price Category | GMC Systems (owned) | Average Yearly Cost (owned) | (A x B) | GMC Systems (leased) | Average Yearly Cost (leased) | (D x E)

Table 4-13(b). Average Annual Costs of Dedicated Processing, 1985


The following 8 tables develop the costs of periods processing expected in
1980 and 1985. The costs are the sum of the annual costs for each purchase price
category multiplied by the percent of USAF systems expected to be utilizing periods
processing in 1980 and 1985. This is summarized below.


Purchase Price      Total Annual Costs for Periods Processing (All Systems)
Category            1980            1985
B                   $  143,736      $  160,960
C                   $  622,092      $  712,200
D                   $  773,256      $  811,080
E                   $2,584,980      $2,995,000
                    ----------      ----------
                    $4,124,064      $4,679,240
                    × .50           × .30
                    $2,062,000      $1,403,000

Table 4-14. Summary of Annual Costs of Periods Processing, 1980-1985
Table 4-14(a). Periods Processing Costs, Purchase Price Category B, 1980

Table 4-14(b). Periods Processing Costs, Purchase Price Category C, 1980

Table 4-14(c). Periods Processing Costs, Purchase Price Category D, 1980

Purchase Price Category E (> $1.5 million): $2,584,980/yr.
Table 4-14(d). Periods Processing Costs, Purchase Price Category E, 1980

Purchase Price Category B ($50,000 - $200,000): $160,960/yr.
Table 4-14(e). Periods Processing Costs, Purchase Price Category B, 1985

Purchase Price Category C ($200,000 - $500,000)
Table 4-14(f). Periods Processing Costs, Purchase Price Category C, 1985

Purchase Price Category D ($500,000 - $1.5 million): $811,080/yr.
Table 4-14(g). Periods Processing Costs, Purchase Price Category D, 1985

Purchase Price Category E (> $1.5 million)
Table 4-14(h). Periods Processing Costs, Purchase Price Category E, 1985


Using the modified distribution of security problem avoidance techniques in
Table 4-16, the cost range for avoidance techniques is:

                        1980                      1985
                        (Base = 1655 systems)     (Base = 1912 systems)
Dedicated Processors    $4,860,000                $ 9,930,000
Periods Processing      $2,062,000                $ 1,403,000
Systems High            $  147,937                $   207,112
                        ----------                -----------
                        $7,070,000                $11,540,000

Table 4-15. Costs of Security Problem Avoidance Techniques 1980, 1985

The main component of the increase is the projected increased use
of dedicated systems to avoid security problems.


4.5.2 Job Stream Separator

The Job Stream Separator automates the changeover functions associated with
periods processing. The major cost elements are the development costs and the per-
system special equipment costs. These costs are estimated at $685,000 and $75,000
respectively in (Sch 75). The time to effect a 'color change' with JSS is expected to
be on the order of 10 minutes. The number of changes per day is expected to be 2.
The average reduction in utilization (due to periods processing) over all purchase
price categories and all utilizations is 3.2%.

The initial costs are:

I × $75,000 + $685,000 + .032 C

where I (= 828, half of the systems in 1980) is the number of systems and C is the
cost of periods processing systems.
The $75,000 per system investment cost (for mini computer hardware, spares,
transportation, etc.) is so overwhelming that the other factors cannot be noticed.
Even assuming price reductions due to the volume involved, to 10% of the estimated
per-system cost, the initial investment would be

828 × $7500 + .032 × .50 × $149,579,000 = $8,604,000

The operating costs are estimated at $5,000/year per system, or $4,140,000.
By 1985, the operating costs will be 30% of the 1912 systems expected to be in existence
then × $5,000, or $2,868,000.

4.5.3 VM Systems

The development costs for a VMM have been estimated variously from
$1 million to $3 to $4 million. These are believed to be too high. A reasonable
estimate for a larger system is approximately $500,000. The per-system hardware
modifications to support a VMM are estimated to be on the order of 10% of the hardware
costs. Finally, the overhead of such systems is expected to be on the order of
15%. Using these data, the initial cost of creating a VMM is the initial development
cost (e.g. $500,000 per machine type), and the cost of hardware modifications for
the VMM (10% of the machine base costs). Since we have indicated that VMM are
logical substitutes for dedicated processors, the data from Tables 4-13(a) and 4-13(b)
are used as the basis for estimating the costs associated with VMM.

If we assume no more than 4 VMM types would be necessary to cover the
bulk of the systems, the initial costs are:

$2,000,000 (for 4 VMM's)
$1,944,000 (for hardware mods)
----------
$3,944,000 (total initial costs)

Annual costs for 1980 would be

.15 × 1.075 × .13 × $149,579,000 = $3,135,549/year

For 1985, with more systems, but presumably no more developments, the costs are:

.15 × 1.075 × .23 × $172,807,000 = $6,408,000/year
4.5.4 Certifiable Systems


The development costs for certifiable systems are on the order of 10 million.
The additional cost of hardware to support the development on any given system is
on the order of 10%. Finally, the operating overhead costs are equally expected to
be on the order of 5%.

The initial costs are expected to be on the order of $3,000,000 plus 10% of
the hardware base cost.

Initial Development Costs:    $3,000,000
Hardware Modifications:        5,680,000
                              ----------
                              $8,680,000


The annual costs for 1980 would be:

.05 × 1.1 × .38 × $149,579,000 = $3,126,000,

where the 38% of the expected system base includes all dedicated processing and
system high operation.

For 1985, the costs are

.05 × 1.1 × .58 × $172,807,000 = $5,513,000.
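The cost model that sections 4.3.3, 4.4 and 4.5.1 through 4.5.4 carry in prose and hand arithmetic, collected into one runnable form so that a reader can substitute his own data (as section 5 invites). This is an added example, not a computation from the report: every input constant is taken from the text or table named in the comments, and the one assumption not stated in the report is that each strategy's initial cost is spread evenly over the five years 1980-1984, which is what makes the 1980 and 1985 rows of Table 4-16 come out.

```python
"""Reconstruction of the report's security-cost model (sections 4.3.3 to 4.5.4).
Added example, not the report's own code.  All inputs come from the cited
sections; the five-year amortization of initial costs is an assumption."""

# Projected USAF system base (section 4.4) and the total annual cost C of that
# base, the $149,579,000 and $172,807,000 figures used throughout section 4.5.
SYSTEMS = {1980: 1655, 1985: 1912}
SYSTEM_BASE_COST = {1980: 149_579_000, 1985: 172_807_000}
# Share of installations using each avoidance technique (Table 4-12).
SHARE = {
    1980: {"dedicated": 0.13, "periods": 0.50, "system_high": 0.25},
    1985: {"dedicated": 0.23, "periods": 0.30, "system_high": 0.35},
}
# Periods-processing cost summed over all purchase price categories (Table 4-14).
PERIODS_ALL_SYSTEMS = {1980: 4_124_064, 1985: 4_679_240}
# Annual system-high clearance cost as tabulated in Table 4-15.
SYSTEM_HIGH_ANNUAL = {1980: 147_937, 1985: 207_112}
AMORTIZATION_YEARS = 5  # assumption: initial costs spread over 1980-1984


def projected_systems(years_after_1974, base=1349, rate=0.038):
    """Section 4.4: simple (linear) growth of the system count at 3.8%/yr."""
    return base * (1 + rate * years_after_1974)


def system_high_annual(turnover=0.15, uncleared=0.125, users=300,
                       installations=263, cost_per_clearance=1000, share=0.10):
    """Section 4.3.3: annual cost of 'new' clearances for system-high operation."""
    return turnover * uncleared * users * installations * cost_per_clearance * share


def dedicated_annual(year, overcapacity=0.25):
    """Assumption H: 25% planned over-capacity on the dedicated-processor share of C."""
    return overcapacity * SHARE[year]["dedicated"] * SYSTEM_BASE_COST[year]


def periods_annual(year):
    """Table 4-14: all-systems periods cost times the share using the technique."""
    return PERIODS_ALL_SYSTEMS[year] * SHARE[year]["periods"]


def jss_systems(year):
    """Systems that would carry a Job Stream Separator: the periods-processing share."""
    return SHARE[year]["periods"] * SYSTEMS[year]


def jss_initial(year=1980, per_system=7_500, utilization_loss=0.032):
    """Section 4.5.2 at the 10%-of-$75,000 volume price; the $685,000 development
    cost is dropped there as negligible.  .032 C is utilization lost to periods."""
    i = round(jss_systems(year))  # 828 in 1980
    return i * per_system + utilization_loss * SHARE[year]["periods"] * SYSTEM_BASE_COST[year]


def jss_operating(year, per_system=5_000):
    """Section 4.5.2: $5,000/year per JSS-equipped system."""
    return jss_systems(year) * per_system


def vmm_initial(year=1980, vmm_types=4, dev_per_type=500_000, hw_mod=0.10):
    """Section 4.5.3: one VMM per machine type plus 10% hardware modifications."""
    return vmm_types * dev_per_type + hw_mod * SHARE[year]["dedicated"] * SYSTEM_BASE_COST[year]


def vmm_annual(year, overhead=0.15, factor=1.075):
    """Section 4.5.3: .15 x 1.075 x (dedicated share) x C.  The 1.075 factor is the
    report's own and is not derived in its text."""
    return overhead * factor * SHARE[year]["dedicated"] * SYSTEM_BASE_COST[year]


def certified_share(year):
    """Section 4.5.4: certified systems replace dedicated and system-high operation."""
    return SHARE[year]["dedicated"] + SHARE[year]["system_high"]


def certified_initial(year=1980, development=3_000_000, hw_mod=0.10):
    """Section 4.5.4: $3,000,000 development plus 10% of the affected hardware base."""
    return development + hw_mod * certified_share(year) * SYSTEM_BASE_COST[year]


def certified_annual(year, overhead=0.05, hw_factor=1.1):
    """Section 4.5.4: .05 x 1.1 x (dedicated + system-high share) x C."""
    return overhead * hw_factor * certified_share(year) * SYSTEM_BASE_COST[year]


def strategy_annual(year):
    """Annual cost of each development strategy in $ millions (cf. Table 4-16).
    Each solution replaces the avoidance technique section 4.5 paired it with;
    initial costs are amortized over AMORTIZATION_YEARS starting in 1980."""
    amort = 1 / AMORTIZATION_YEARS if year < 1980 + AMORTIZATION_YEARS else 0.0
    ded, per, sh = dedicated_annual(year), periods_annual(year), SYSTEM_HIGH_ANNUAL[year]
    totals = {
        "avoidance": ded + per + sh,
        "jss": ded + sh + jss_operating(year) + amort * jss_initial(),
        "vmm": per + sh + vmm_annual(year) + amort * vmm_initial(),
        "certified": per + certified_annual(year) + amort * certified_initial(),
    }
    return {name: round(value / 1e6, 3) for name, value in totals.items()}


if __name__ == "__main__":
    for yr in (1980, 1985):
        print(yr, strategy_annual(yr))
```

Running it reproduces the 1980 and 1985 rows of Table 4-16 to within about $10,000 (7.07, 10.87, 6.13 and 6.92 for 1980; 11.55, 13.01, 8.02 and 6.92 for 1985), which is a useful check that the table was read correctly from the garbled scan. Changing the entries of SHARE or SYSTEM_BASE_COST is the quickest way to test how sensitive the report's conclusions are to its assumptions C, G and H.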
Figure 4-7. Expected Trends in Use of Security Problem Avoidance Techniques, 1974 - 1985
(% of systems using each technique in 1974, 1980 and 1985: Periods Processing, System High, Dedicated Processing, No Classified Processing)
4.6 SUMMARY

Summary data is presented in Table 4-16 and Figures 4-8 and 4-9.
From these data a number of conclusions can be drawn.

1. The cumulative costs of avoiding security problems are expected to
reach approximately $85,000,000 by 1985. Cumulative costs assuming the availability
of VMM or Certified Systems would be expected to reach approximately
$70,000,000 by 1985. The bulk of the effect of VMM or Certified Systems would be
expected to occur in the period 1980-1985.

2. The Job Stream Separator program has mostly negative impact on
computer security costs and should not be pursued.

3. Either VMM or Certifiable Systems would have a significant impact
on reducing costs of computer security avoidance techniques. Although the cumulative
projected costs for certifiable systems are 2 to 3 million dollars higher than the
VMM only costs, it must be kept in mind that the certifiable systems approach can
be applied to 40-60% of the systems, while the VMM approach covers from 13 to 23%
of the problem. Certifiable systems also permit satisfying "mission essential"
requirements that are predicated on information sharing.

Other studies (SCH75) show that even this alternative is cost effective even if
only applied to a few WWMCCS sites. This discrepancy is not so much a reflection
that the other estimates are many as it is a reflection of the highly conservative
(possibly to the point of unrealistically low) estimates of the cost of avoidance
used in this study, due to the lack of definitive data to support what might well be
more "reasonable" costs.
(costs in $ millions)

Year    Avoidance           Job Stream Separator   VMM                 Certified Systems
        Annual    Cum.      Annual    Cum.         Annual    Cum.      Annual    Cum.
1974    3.209     3.209     3.209     3.209        3.209     3.209     3.209     3.209
1975    3.85      7.061     4.484     7.693        3.696     6.90      3.828     7.04
1976    4.49      11.55     5.760     13.453       4.184     11.08     4.45      11.49
1977    5.14      16.69     7.036     20.489       4.671     15.75     5.07      16.56
1978    5.78      22.47     8.31      28.799       5.159     20.92     5.69      22.25
1979    6.43      28.90     9.587     38.38        5.65      26.57     6.30      28.55
1980    7.07      35.97     10.868    49.24        6.134     32.70     6.924     35.47
1981    7.96      43.93     11.638    60.88        6.668     39.36     7.269     42.74
1982    8.86      52.79     12.410    73.28        7.203     46.56     7.615     50.36
1983    9.75      62.54     13.181    86.46        7.737     54.3      7.960     58.32
1984    10.65     73.19     13.953    100.41       8.272     62.57     8.306     66.63
1985    11.54     84.73     13.005    113.42       8.018     70.59     6.916     73.54

Table 4-16. Summary of Expected Annual and Cumulative Costs
For Different Development Strategies

Figure 4-9. Expected 5 Year Annual Costs of Various
Security Development Policies


5.  CRITICAL  ASSUMPTIONS 


5.1 INTRODUCTION

Studies of this kind are replete with assumptions regarding how data processing
is utilized, the numbers of systems involved, etc. It is recognized that with
better data, the numbers would be expected to change. As a guide to the reader who
wishes to make use of his own data for any of the computations in this report, the
key assumptions made are summarized in this section. They have been noted in
the body of the report as well.


5.2 ASSUMPTIONS

A.  The  distribution  of  the  number  of  SMC  and  GMC  systems  in 
each  purchase  price  category  is  in  proportion  to  the  totals 
923/1349  for  GMC  systems  and  426/1349  for  SMC  systems. 

B.  The  average  purchase  price  for  USAF  systems  in  each  purchase 
price  category  is  proportional  to  the  data  for  Government- 
wide systems. 

C. That the estimated % of USAF installations currently using a
particular security problem avoidance technique predominantly
is as shown in Figure 4-5.

D.  The  annual  'rental'  for  leased  systems  is  the  'purchase  price' /4 
and  the  annual  'rental'  for  owned  systems  is  the  'purchase 
price'/?. 

E. The number of owned and leased systems in the USAF is proportional
to the number of owned and leased CPU's.
F. The number of USAF system installations is approximately 260.

G.  The  trends  to  on-line  and  real-time  systems  will  change  the 
estimated  % distribution  of  use  of  avoidance 'techniques  for  1980 
and  1985  to  that  shown  in  Table  4-12. 

H. Twenty-five percent is the average fraction of over-capacity due
to the security avoidance technique of dedicated processing.
I. Replacement personnel have existing clearances in proportion
to those that exist among the personnel in the installation as
a whole.

J.  Reduction  in  effective  utilization  of  systems  due  to  periods 
processing  is  equivalent  to  an  increase  in  the  dollar  cost  of  a 
system  even  if  the  system  is  not  fully  utilized. 

K.  The  over  capacity  in  systems  is  planned  in  general,  and 
reduction  of  it  increases  cost  (in  some  way). 

L. In assessing the impact of possible development paths, it was
assumed that JSS would be primarily an alternative to periods
processing, VM's would be primarily an alternative to dedicated
processors, and certified systems would be primarily an alternative
to both dedicated processors and systems high operations.

While  certified  systems  could  also  be  alternative  to  periods 
processing,  none  of  the  cost  computations  took  this  into  account. 

M. No attempt was made to factor in costs associated with secure
communications, physical site preparation, lost opportunity
costs, and the like. This is in part because there is no easy way
to allocate such costs, nor are they known in the same terms
of reference as used in this study.

N. Linear extrapolation from 1974 problem avoidance costs to 1980
projected costs for the various strategic alternatives doesn't
introduce any significant error.

5.3 CAUTIONS

This study only considers selected costs — those easily estimated from the
macroscopic data on the number of systems of various types found in the Inventory
of Automatic Data Processing Equipment. Many other very real costs such as those
associated with secured communication or physical protection of terminals connected
to classified systems have not been considered. Neither has there been any attempt
to quantify reduced effectiveness of installations and systems because of the need to
employ one or more of the avoidance techniques noted above.

An individual with better data could undoubtedly produce a better study than
this. However, in spite of the very obvious limitations of the data and the heavy
use of estimated distributions, it is believed that the figures indicate that present
security practices have measurable costs, and that these can be greatly improved
using modern technology.
MISSION
OF THE
DIRECTORATE OF COMPUTER SYSTEMS ENGINEERING

The Directorate of Computer Systems Engineering
provides ESD with technical services on matters
involving computer technology to help ESD system
development and acquisition offices exploit computer
technology through engineering application to enhance
Air Force systems and to develop guidance to minimize
R&D and investment costs in the application of computer
technology.

The Directorate of Computer Systems Engineering
also supports AFSC to insure the transfer of computer
technology and information throughout the Command,
including maintaining an overview of all matters pertaining
to the development, acquisition, and use of computer
resources in systems in all Divisions, Centers and
Laboratories and providing AFSC with a corporate
memory for all problems/solutions and developing
recommendations for RDT&E programs and changes in
management policies to insure such problems do not
reoccur.